Decrypting Simple Single-Key XOR Encrypted Windows Executables

Posted 16 April 2016 - 05:31 AM

Red Vice

Today in this tutorial, I'm going to demonstrate with pseudocode how to decrypt Windows executable files that use simple XOR encryption. The decryption process relies less on logic and more on brute-forcing.

Background

XOR is used in various types of encryption, and is sometimes used as its own encryption in its raw form without any supporting algorithms. For XOR, when the bits at the same index are equal the result is 0; when they differ, the result is 1.

Let's take two binary values called data and key:

Data:   01100101
Key:    00101011
Result: 01001110

Need to know:

Windows executable files will usually start with two bytes, 0x4D and 0x5A, which in ASCII are "MZ". This is a file format marker used to differentiate between COM files and executables.

How It's Used in Programs

Some programs will use XOR encryption on their bytes. XOR can be used to encrypt whole files, a character, a string, a portion of a file, etc.

Now that EncryptedFile has been encrypted with a key between 0 and 255, the file format bytes at the beginning of the file, offsets 0x00000000 and 0x00000001, won't be "MZ" but something random-looking like "%:". This would be an algorithm to get the key from just the first two bytes and then decrypt the entire file. *pseudocode*
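As an added example (not the post's pseudocode), here is a Python implementation of the approach just described: try every key 0..255 against the first two bytes, or equivalently derive the key from byte 0 and confirm it with byte 1, then check the PE signature before trusting the decrypted file. The sample blob and the key 0xA7 are constructed for the demonstration; `build_sample_pe` produces a header-shaped stand-in, not a real executable.

```python
from __future__ import annotations
import struct

MZ = b"MZ"


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with one key; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in blob)


def brute_force_keys(blob: bytes) -> list[int]:
    """The post's approach: try all 256 keys, keep those that turn the first two bytes into 'MZ'."""
    return [k for k in range(256) if xor_bytes(blob[:2], k) == MZ]


def recover_key(blob: bytes) -> int | None:
    """Same result without the loop: byte 0 fixes the key, byte 1 must agree.
    A two-byte check on a single-byte key therefore yields exactly one key or none."""
    if len(blob) < 2:
        return None
    k = blob[0] ^ MZ[0]
    return k if (blob[1] ^ k) == MZ[1] else None


def looks_like_pe(data: bytes) -> bool:
    """Extra check: e_lfanew (offset 0x3C) must point at the 4-byte 'PE' signature,
    so a chance 'MZ' in unrelated data is not mistaken for a decrypted executable."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_pe(blob: bytes) -> tuple[int, bytes] | None:
    """Return (key, decrypted bytes) when the blob decrypts to something PE-shaped."""
    key = recover_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)
    return (key, plain) if looks_like_pe(plain) else None


def build_sample_pe() -> bytes:
    """Constructed stand-in: 0x40-byte DOS header, e_lfanew = 0x40, then the PE signature."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


SAMPLE_KEY = 0xA7  # constructed key, chosen arbitrarily
ENCRYPTED = xor_bytes(build_sample_pe(), SAMPLE_KEY)
```

Running `recover_pe(ENCRYPTED)` returns the key 0xA7 together with the original bytes, while `brute_force_keys` confirms that 0xA7 is the only candidate.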
